TalkTalk said it had been subjected to a ‘significant and sustained’ attack on its website on 21 October.
Photograph: Stefan Wermuth/Reuters

A 20-year-old man arrested in connection with the cyber-attack on telecoms firm TalkTalk has been released on bail. Scotland Yard said he will attend a police station in early March pending further inquiries. He had been held on suspicion of offences under the Computer Misuse Act.

The man, who was detained at an address in Staffordshire on Saturday, is the third person to be held in relation to the alleged data theft. Two teenagers were previously arrested over the cyber-attack. A 16-year-old boy, from Feltham in west London, was held on suspicion of computer misuse after a search of his home on Thursday. The teenager has been bailed to a date yet to be confirmed. And a 15-year-old boy from County Antrim in Northern Ireland was arrested on Monday and was bailed until a date in November.

The investigation is being carried out by the Metropolitan police’s cybercrime unit, the Police Service of Northern Ireland’s cybercrime centre and the National Crime Agency. The latest breach is the third in a spate of cyber-incidents affecting TalkTalk in the last year. Police confirmed that officers have also searched a residential property in Liverpool in connection with the incident.

TalkTalk said it had been subjected to a “significant and sustained” attack on its website on 21 October, which prompted fears that millions of people may have had their bank details stolen. The telecoms company has since said the data hacked was “significantly less than originally suspected” with fewer than 21,000 unique bank account numbers and sort codes accessed.

Last December, one of TalkTalk’s third party suppliers suffered an internal data breach which meant that some non-financial customer information was illegally accessed, while, in August, Carphone Warehouse, which hosts the mobile.talktalk.co.uk website alongside a number of others, was subject to a cyber attack, a TalkTalk spokeswoman said.

Meanwhile, Vodafone said nearly 2,000 customers were “open to fraud” after hackers accessed their personal details. The mobile phone giant said 1,827 accounts had been breached, potentially providing criminals with customers’ names, mobile numbers, bank sort codes and the last four digits of their bank accounts.

An investigation was launched by the company before the National Crime Agency, Ofcom and the Information Commissioner’s Office were informed on Friday evening. Vodafone said its security protocols were “fundamentally effective” and that no credit or debit card details had been accessed.